CVE-2021-25167

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary operating system commands on Aruba AirWave Management Platform systems without authentication. It affects organizations using AirWave Management Platform versions before 8.2.12.1 for network management.

💻 Affected Systems

Products:
  • Aruba AirWave Management Platform
Versions: All versions prior to 8.2.12.1
Operating Systems: Linux-based appliance OS
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, deploy ransomware, or pivot to other network systems.

🟠 Likely Case

Unauthorized access leading to configuration changes, data exfiltration, or installation of backdoors for persistent access.

🟢 If Mitigated

Limited impact due to network segmentation and strict access controls preventing external exploitation.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation allows attackers to compromise systems directly from the internet.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows unauthenticated command execution on affected systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CWE-78 indicates OS command injection, which typically has low exploitation complexity. Public proof-of-concept exists for similar AirWave vulnerabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.2.12.1 or later

Vendor Advisory: https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-010.txt

Restart Required: Yes

Instructions:

1. Download AirWave Management Platform 8.2.12.1 or later from the Aruba support portal.
2. Back up the current configuration.
3. Apply the update following Aruba's upgrade documentation.
4. Restart the system as required.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to AirWave Management Platform to trusted management networks only

Access Control Lists (applies to: all)

Implement firewall rules to block external access to AirWave web interface and management ports

🧯 If You Can't Patch

  • Immediately isolate the AirWave system from internet access and restrict to management VLAN only
  • Implement strict monitoring and alerting for any access attempts or unusual system behavior

🔍 How to Verify

Check if Vulnerable:

Check the AirWave web interface > Help > About to see the current version. If the version is below 8.2.12.1, the system is vulnerable.

Check Version:

ssh admin@airwave-host 'cat /etc/issue' or check the web interface at https://airwave-host/LOGIN

Verify Fix Applied:

After patching, verify version shows 8.2.12.1 or higher in Help > About section.
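Comparing dotted version strings by hand is error-prone: as plain strings, "8.2.9.1" sorts after "8.2.12.1" because "9" > "1", so a naive check would report a vulnerable build as patched. The following script is an added example, not part of this advisory or of Aruba's tooling; it extracts the first dotted version from text such as the Help > About page or the `/etc/issue` output mentioned above and compares it numerically against the 8.2.12.1 fix version. The sample version strings are constructed, not captured from a real appliance.

```python
import re

# Fixed version named in the advisory
FIXED_VERSION = "8.2.12.1"

def parse_version(text):
    """Extract the first dotted numeric version from arbitrary text
    (e.g. the Help > About page or /etc/issue output) and return it as a
    tuple of ints so that 8.2.9.1 < 8.2.12.1 compares correctly."""
    m = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not m:
        raise ValueError(f"no version string found in: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable(version_text, fixed=FIXED_VERSION):
    """True when the observed version is older than the fixed version.
    Shorter tuples are padded with zeros so that 8.2.12 == 8.2.12.0."""
    observed = parse_version(version_text)
    target = parse_version(fixed)
    width = max(len(observed), len(target))
    observed += (0,) * (width - len(observed))
    target += (0,) * (width - len(target))
    return observed < target

# Constructed sample outputs, not taken from a real AirWave system
SAMPLES = {
    "AirWave Management Platform 8.2.9.1": True,   # older build, vulnerable
    "AirWave 8.2.12.1 (build 12345)": False,       # exactly the fixed version
    "Version: 8.2.13.0": False,                    # newer than the fix
    "8.2.10": True,                                # three-part version, still older
}

def check_samples(samples=SAMPLES):
    """Return {version_text: vulnerable?} for each sample string."""
    return {text: is_vulnerable(text) for text in samples}

if __name__ == "__main__":
    for text, vuln in check_samples().items():
        print(f"{text!r}: {'VULNERABLE' if vuln else 'patched'}")
```

Run it against the text you copied from the About page or `/etc/issue`; the comparison is purely numeric, so it is unaffected by build suffixes or surrounding text.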

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Unexpected process creation
  • Failed authentication attempts followed by successful access

Network Indicators:

  • Unusual outbound connections from AirWave system
  • Traffic to unexpected ports or IP addresses
  • HTTP requests with command injection patterns

SIEM Query:

source="airwave" AND (event_type="command_execution" OR process="unexpected_process" OR http_uri="*;*" OR http_uri="*|*")
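For teams without a SIEM that speaks this query syntax, or for testing a rule before deploying it, the same logic can be run over exported log lines directly. The script below is an added example, not part of this advisory; it reimplements the query in Python with two refinements a detection engineer would normally add: request URIs are percent-decoded once before matching, so encoded `%3B` and `%7C` are caught alongside literal `;` and `|`, and "unexpected process" is defined against an allowlist rather than a literal value. The log format, the process allowlist and the URIs in the sample lines are all constructed for the example and are not real AirWave endpoints or baselines.

```python
import re
from urllib.parse import unquote

# Shell metacharacters that should not appear in a legitimate request URI.
# The page's SIEM query keys on ';' and '|'; a few more common in
# OS command injection are added here.
SUSPICIOUS_URI = re.compile(r"[;|&`]|\$\(")

# Constructed allowlist of processes expected on the appliance. A real
# deployment would derive this from a known-good baseline of its own host.
EXPECTED_PROCESSES = {"httpd", "postgres", "java", "sshd", "cron"}

def parse_kv_line(line):
    """Parse a key="value" style log line into a dict (constructed format)."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def uri_is_suspicious(uri):
    """Decode percent-encoding once so %3B / %7C match the same as ; / |."""
    return bool(SUSPICIOUS_URI.search(unquote(uri)))

def classify(event):
    """Return the reason an event should alert, or None.
    Mirrors the SIEM query: source must be airwave, then any one of
    command execution, an unexpected process, or a suspicious URI fires."""
    if event.get("source") != "airwave":
        return None
    if event.get("event_type") == "command_execution":
        return "command_execution"
    proc = event.get("process")
    if proc and proc not in EXPECTED_PROCESSES:
        return f"unexpected_process:{proc}"
    if uri_is_suspicious(event.get("http_uri", "")):
        return "suspicious_uri"
    return None

# Constructed sample log lines; paths are placeholders, not AirWave endpoints.
SAMPLE_LOGS = [
    'source="airwave" event_type="http_request" http_uri="/example/status" process="httpd"',
    'source="airwave" event_type="http_request" http_uri="/example/status?host=10.0.0.1;ls" process="httpd"',
    'source="airwave" event_type="http_request" http_uri="/example/status?host=10.0.0.1%7Cwhoami" process="httpd"',
    'source="airwave" event_type="process_start" process="nc" http_uri=""',
    'source="airwave" event_type="command_execution" process="sh"',
    'source="other" event_type="command_execution" process="sh"',
]

def find_alerts(lines):
    """Return [(line_number, reason)] for every line that should alert."""
    alerts = []
    for number, line in enumerate(lines, 1):
        reason = classify(parse_kv_line(line))
        if reason:
            alerts.append((number, reason))
    return alerts

if __name__ == "__main__":
    for number, reason in find_alerts(SAMPLE_LOGS):
        print(f"line {number}: {reason}")
```

Line 6 of the sample is deliberately not flagged even though it is a command execution, because the query scopes to `source="airwave"`; if other hosts should be covered, widen that first clause rather than removing it.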
